Cisco Support Community

New Member

IDS signatures disappear on ids viewer

Folks,

I have an IDS 4210 with 4.x running on it. I recently purchased it and am testing it these days.

When I run a port scanner on my network, the alarms are generated on the IDS. But when I come in the next day and look at the IDS viewer, all the alarms are gone?? Is there any way I can preserve these alarms?

Also, could someone tell me the practical use of the "IP LOGGING" feature of the IDS? Does it enable the IDS to collect extra data when it sees an alarm? Can I configure it to start logging when it sees a specific signature? Any feedback would be highly appreciated.

Thanks,

3 REPLIES
New Member

Re: IDS signatures disappear on ids viewer

Any update on the IP logging feature? Thanks.

Cisco Employee

Re: IDS signatures disappear on ids viewer

The IP logging feature can either be manually started for a particular IP address or automatically started when a specific signature fires.

To manually start an IP log for an address, use the "iplog" command in the CLI:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#378251

To automatically start an IP log when a signature fires, you will need to configure the signature and select the action "log" for EventAction.

When an IP log is started, it will capture all of the packets to and from the address and place them into a binary log file. This binary log file is in libpcap format and can be read by most sniffers (including tcpdump and ethereal).

The easiest way to download an IP log file is through IDM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap4.htm#860259

But it can also be downloaded through the CLI (using the "copy iplog" command, you have the sensor FTP or SCP it to your own FTP or SCP server, and then you have to go and grab it from that server):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#377910

Why is this useful? Quite often a user will ask what happened after a hacker was able to access their network. This log file will show what occurred after the alarm from that attacker IP address.

Other users have also used the IP log feature to determine whether or not an alarm was a false positive or a real attack.

NOTE: For users who don't need to look into a lot of packets, there is a feature in 4.1 known as "trigger packet". Unlike IP logging, which captures the packet that caused the alarm as well as several packets afterwards, the "trigger packet" option will simply attach an encoded version of the one trigger packet directly to the alarm itself.

The "trigger packet" is viewable within IEV when looking at an alarm.

For configuring the "trigger packet", you will set the signature parameter "Capture Packet" to True for the particular signature.

For viewing the "trigger packet" use the "show captured packet" option:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#1789
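The reply above says an IP log is a libpcap file that tcpdump or ethereal can open. The following is an added example, not code from the thread or from Cisco: a small libpcap reader that walks the records of a downloaded IP log, decodes Ethernet/IPv4 headers, and reports how many packets went to and from the logged address and which peers it talked to (a quick way to do the "what happened after the alarm" triage the reply describes). It assumes an Ethernet link type in the file; the sample capture at the bottom is constructed in memory for the demonstration and is not a real sensor log.

```python
"""Reader for an IDS IP log saved in libpcap format (added example, not Cisco code).

Assumes a classic libpcap file with an Ethernet link type. SAMPLE_IPLOG is
constructed here for the demonstration; it is not a real sensor log.
"""
import socket
import struct
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame_bytes) for every record in a libpcap file."""
    if len(data) < 24:
        raise ValueError("truncated libpcap global header")
    # The magic number tells us which byte order the writer used.
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % offset)
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_ipv4(frame: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, protocol) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9]


def summarize_iplog(data: bytes, logged_addr: str) -> Dict[str, object]:
    """Count packets to/from the logged address and list the peers it spoke to.

    An IP log should only contain traffic involving the logged host, so a
    non-zero 'other' count means the wrong address was logged or the file
    is not what you think it is.
    """
    sent = received = other = 0
    peers = set()
    for _ts, frame in read_pcap(data):
        hdr = decode_ipv4(frame)
        if hdr is None:
            other += 1
            continue
        src, dst, _proto = hdr
        if src == logged_addr:
            sent += 1
            peers.add(dst)
        elif dst == logged_addr:
            received += 1
            peers.add(src)
        else:
            other += 1
    return {"from": sent, "to": received, "other": other, "peers": sorted(peers)}


def _ipv4_frame(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4 frame (constructed test data only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    """Serialise frames as a libpcap file; used only to construct the sample."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: a scanner at 192.0.2.10 probing two hosts, plus one
# unrelated packet that should not be in a log for that address.
SAMPLE_IPLOG = build_pcap([
    _ipv4_frame("192.0.2.10", "198.51.100.5", 6, b"\x00\x50"),
    _ipv4_frame("198.51.100.5", "192.0.2.10", 6),
    _ipv4_frame("192.0.2.10", "198.51.100.6", 6),
    _ipv4_frame("198.51.100.7", "198.51.100.8", 17),
])

if __name__ == "__main__":
    print(summarize_iplog(SAMPLE_IPLOG, "192.0.2.10"))
```

Once the file has been pulled off the sensor with IDM or "copy iplog", the same check can be done with tcpdump (`tcpdump -nr iplog.pcap host 192.0.2.10`); the reader above is only useful when you want to script the triage over many logs.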

New Member

Re: IDS signatures disappear on ids viewer

Your events are not gone the next day; they have simply been archived. I believe the default is to archive the events at midnight each day, which I believe is a bad idea since an attack could occur at 11:00pm and the next day when you look they have been archived, and you may never know. I set mine to 6pm, so shortly after I leave work they are archived.

You can go into EDIT>PREFERENCES and adjust the archive setting there.
